From April 2022 to November 2023, Russian state-sponsored hackers, identified as APT28, have been conducting NTLM v2 hash relay attacks on high-value organizations worldwide. The group has targeted a variety of sectors, including foreign affairs, energy, defense, and transportation, as well as those dealing with social welfare, finance, and local government. Cybersecurity firm Trend Micro has described these attacks as a 'cost-efficient method of automating attempts to brute-force its way into the networks' of these targets. The firm suggests that the adversary may have compromised thousands of email accounts over time.
APT28, which is also known by a variety of other names, such as Blue Athena, Fancy Bear, and Pawn Storm, among others, is believed to have been active since 2009. The group is reportedly operated by Russia's GRU military intelligence service and is known for orchestrating spear-phishing attacks containing malicious attachments to activate infection chains. In April 2023, APT28 was implicated in attacks that exploited now-patched vulnerabilities in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets.
In December, the group exploited a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and WinRAR (CVE-2023-38831, CVSS score: 7.8) to access a user's Net-NTLMv2 hash and use it to stage an NTLM Relay attack against another service to authenticate as the user. An exploit for CVE-2023-23397 was reportedly used to target Ukrainian entities as early as April 2022, according to a March 2023 advisory from CERT-EU.
The group has also been seen using lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. They have also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy backdoors and information stealers like OCEANMAP, MASEPIE, and STEELHOOK.
A notable aspect of the group's attacks is their continuous efforts to refine their operational playbook and evade detection. This includes the use of anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers for scanning and probing activities. Another tactic involves sending spear-phishing messages from compromised email accounts over Tor or VPN.
Security researchers Feike Hacquebord and Fernando Merces noted that 'Pawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites.' They also observed that part of the group's post-exploitation activities involve modifying folder permissions within the victim's mailbox, enhancing persistence. Using the victim's email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization.
It is currently unclear if the threat actor themselves breached these routers, or if they are using routers that were already compromised by a third-party actor. However, it is estimated that at least 100 EdgeOS routers have been infected. Additionally, recent credential harvesting campaigns against European governments have used bogus login pages mimicking Microsoft Outlook that are hosted on webhook[.]site URLs, a pattern previously attributed to the group.
In an October 2022 phishing campaign, the group singled out embassies and other high-profile entities to deliver a 'simple' information stealer via emails that captured files matching specific extensions and exfiltrated them to a free file-sharing service named Keep.sh.
The researchers noted that 'The loudness of the repetitive, oftentimes crude and aggressive campaigns, drown out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations.'
In related news, Recorded Future News revealed an ongoing hacking campaign undertaken by the Russian threat actor COLDRIVER (aka Calisto, Iron Frontier, or Star Blizzard) that impersonates researchers and academics to redirect prospective victims to credential harvesting pages.